Re: [jakartaee-tck-dev] TCK-1867: Single LICENSE.md file embedded in the .zip.

Thank you Scott!

On Tue, Feb 18, 2025 at 2:56 PM Scott Stark via jakartaee-tck-dev <jakartaee-tck-dev@xxxxxxxxxxx> wrote:
This still leaves open a hole of directly using the maven central
published test artifacts in a CCR by simply providing the checksums of
the test artifacts and having that matched to the checksums in the
official zip. The TCK zip distribution now includes:
1. a bom for test artifacts to allow one to reference that in a runner
project. That theoretically should be all that is required to
configure the dependencies for a CCR run.
2. an artifacts-sums.txt in the artifacts directory that includes the
SHA1 and MD5 checksums on the staged test artifacts
3. A standalone VerifyHashes.java program that can be run using 'java
VerifyHashes.java' to validate that the distribution test artifacts
match a given maven repository.

We could even provide a maven plugin that emitted a checksum report of
the test artifacts used in a runner for inclusion in a CCR that simply
indicated if the included test artifacts match the expected TCK
version artifacts as a pass/fail checkbox in the CCR instead of having
to manually validate the SHA256 sum of the TCK dist as done today.

+1 on this!

On Mon, Feb 10, 2025 at 8:18 AM Ed Burns via jakartaee-tck-dev
<jakartaee-tck-dev@xxxxxxxxxxx> wrote:
>
> Single LICENSE.md file embedded in the .zip. · Issue #1867 · jakartaee/platform-tck
>
> I believe this is well understood and in hand now. However, I did promise to send an email to tck-dev about this issue, so here it is.
>
> At the 2025-02-04 Jakarta EE Platform project call, Ed Bratt, in his capacity as member of the Jakarta EE Steering and Specification Committees, clarified some important matters regarding TCK license files, and the .zip files.
>
> The SHA of the .zip of the TCK is what matters for certification. The place from which you download it does not matter.
>
> If the SHA sum of the bits of the TCK from the normative location (download, or maven central) matches the SHA sum of the bits of the TCK used to run the tests and obtain the results, the certification can be valid.
> In other words, the download location is immaterial as long as the SHA sums match.
>
> Maven central has no prohibition on including EFTL license in binary artifacts included in maven central.
>
> As long as the TCK binary includes all the project license(s) and the EFTL license, the license requirements are met. The TCK will implement this requirement by ensuring there is a single LICENSE.md file which includes the union of all the LICENSE* files in https://github.com/jakartaee/platform-tck .
> The ordering of contents in the LICENSE file is irrelevant.
>
> The top level TCK .zip file, and each .jar file within the .zip file, must have the LICENSE.md file.
>
>
> _______________________________________________
> jakartaee-tck-dev mailing list
> jakartaee-tck-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakartaee-tck-dev

--
Thanks
Emily
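
An added example, not part of the thread and not the TCK's own VerifyHashes.java: one way the pass/fail checksum report discussed above could be computed for the test artifacts in a runner. The class name `ArtifactSumsCheck`, the manifest line layout (`<sha1> <md5> <file name>`) and the sample files are assumptions constructed for illustration; the thread does not show the real layout of artifacts-sums.txt.

```java
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.*;

// Added example; class name and manifest layout are assumptions, not the TCK's VerifyHashes.java.
public class ArtifactSumsCheck {
    static String hex(String algo, Path file) throws Exception {
        byte[] d = MessageDigest.getInstance(algo).digest(Files.readAllBytes(file));
        return HexFormat.of().formatHex(d);
    }

    // Assumed manifest line layout: "<sha1-hex> <md5-hex> <file-name>"
    static Map<String, String> check(List<String> manifest, Path dir) throws Exception {
        Path root = dir.toAbsolutePath().normalize();
        Map<String, String> report = new TreeMap<>();
        for (String line : manifest) {
            String[] f = line.trim().split("\\s+", 3);
            if (f.length != 3) { report.put(line, "MALFORMED"); continue; }
            Path p = root.resolve(f[2]).normalize();
            // A name that escapes the artifacts directory is treated as missing, never read
            if (!p.startsWith(root) || !Files.isRegularFile(p)) { report.put(f[2], "MISSING"); continue; }
            boolean ok = f[0].equalsIgnoreCase(hex("SHA-1", p)) && f[1].equalsIgnoreCase(hex("MD5", p));
            report.put(f[2], ok ? "OK" : "MISMATCH");
        }
        // An artifact present in the runner but absent from the manifest also fails the report
        try (var files = Files.list(root)) {
            for (Path p : files.toList())
                report.putIfAbsent(p.getFileName().toString(), "UNLISTED");
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("artifacts");    // constructed sample artifacts
        Files.writeString(dir.resolve("a-tests.jar"), "abc");
        Files.writeString(dir.resolve("b-tests.jar"), "tampered");
        Files.writeString(dir.resolve("extra.jar"), "");
        List<String> manifest = List.of(                       // constructed sums; digests are those of "abc"
            "a9993e364706816aba3e25717850c26c9cd0d89d 900150983cd24fb0d6963f7d28e17f72 a-tests.jar",
            "a9993e364706816aba3e25717850c26c9cd0d89d 900150983cd24fb0d6963f7d28e17f72 b-tests.jar",
            "a9993e364706816aba3e25717850c26c9cd0d89d 900150983cd24fb0d6963f7d28e17f72 c-tests.jar");
        Map<String, String> report = check(manifest, dir);
        report.forEach((name, status) -> System.out.println(status + "  " + name));
        boolean pass = report.values().stream().allMatch("OK"::equals);
        System.out.println("CCR checkbox: " + (pass ? "PASS" : "FAIL"));
    }
}
```

SHA-1 and MD5 are both collision-prone, so a check like this catches drift between a repository and the zip rather than a deliberately crafted substitute; the SHA256 sum of the TCK dist mentioned in the thread is the stronger digest.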
